From 48dab7aa3327e137174a058fd020ba89fd45a0e8 Mon Sep 17 00:00:00 2001
From: Azat Khuzhin
Date: Wed, 22 Jun 2016 15:48:51 +0300
Subject: [PATCH 1/2] test/buffer: cover evbuffer_expand() for overflow

Refs: #306
Refs: #340
---
 test/regress_buffer.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/test/regress_buffer.c b/test/regress_buffer.c
index 2f57c3b5..1af75f53 100644
--- a/test/regress_buffer.c
+++ b/test/regress_buffer.c
@@ -708,6 +708,23 @@ end:
 evbuffer_free(buf);
 }

+static void
+test_evbuffer_expand_overflow(void *ptr)
+{
+ struct evbuffer *buf;
+
+ buf = evbuffer_new();
+ evbuffer_add(buf, "1", 1);
+ evbuffer_expand(buf, EVBUFFER_CHAIN_MAX);
+ evbuffer_validate(buf);
+
+ evbuffer_expand(buf, EV_SIZE_MAX);
+ evbuffer_validate(buf);
+
+end:
+ evbuffer_free(buf);
+}
+
 static void
 test_evbuffer_add1(void *ptr)
 {
@@ -2494,6 +2511,7 @@ struct testcase_t evbuffer_testcases[] = {
 { "reserve_many2", test_evbuffer_reserve_many, 0, &nil_setup, (void*)"add" },
 { "reserve_many3", test_evbuffer_reserve_many, 0, &nil_setup, (void*)"fill" },
 { "expand", test_evbuffer_expand, 0, NULL, NULL },
+ { "expand_overflow", test_evbuffer_expand_overflow, 0, NULL, NULL },
 { "add1", test_evbuffer_add1, 0, NULL, NULL },
 { "add2", test_evbuffer_add2, 0, NULL, NULL },
 { "reference", test_evbuffer_reference, 0, NULL, NULL },
From a3f4ccd1a16d855353c9f555f15111c9186facc2 Mon Sep 17 00:00:00 2001
From: Azat Khuzhin
Date: Tue, 21 Jun 2016 19:49:57 +0300
Subject: [PATCH 2/2] buffer: fix overflow check in evbuffer_expand_singlechain()

Refs: #306
Fixes: #340
Fixes: 20d6d4458bee5d88bda1511c225c25b2d3198d6c
---
 buffer.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/buffer.c b/buffer.c
index 6786f902..1a35fb21 100644
--- a/buffer.c
+++ b/buffer.c
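Review bot: In test_evbuffer_expand_overflow (first hunk of test/regress_buffer.c) both `evbuffer_expand()` results are discarded, so the test only shows that the buffer stays structurally valid; it would pass equally if an oversized request were accepted or if a rejected one were reported as success. The outcome the overflow check is meant to produce should be pinned, for example `tt_int_op(evbuffer_expand(buf, EV_SIZE_MAX), ==, -1);`, assuming -1 is the failure return here (the callee is not part of this hunk). The result of `evbuffer_add()` is unchecked as well, so a failed setup would go unnoticed before the two expand calls run.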
@@ -1982,8 +1982,7 @@ evbuffer_expand_singlechain(struct evbuffer *buf, size_t datlen)
 /* Would expanding this chunk be affordable and worthwhile? */
 if (CHAIN_SPACE_LEN(chain) < chain->buffer_len / 8 ||
 chain->off > MAX_TO_COPY_IN_EXPAND ||
- (datlen < EVBUFFER_CHAIN_MAX &&
- EVBUFFER_CHAIN_MAX - datlen >= chain->off)) {
+ datlen >= (EVBUFFER_CHAIN_MAX - chain->off)) {
 /* It's not worth resizing this chain. Can the next one be
 * used? */
 if (chain->next && CHAIN_SPACE_LEN(chain->next) >= datlen) {
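Review bot: The new clause `datlen >= (EVBUFFER_CHAIN_MAX - chain->off)` has no comment saying why the bound is written as a subtraction or what keeps that subtraction from wrapping. As far as the hunk shows, it is safe only because the preceding clause `chain->off > MAX_TO_COPY_IN_EXPAND` short-circuits first, which presumes MAX_TO_COPY_IN_EXPAND is no larger than EVBUFFER_CHAIN_MAX and that these are unsigned sizes (neither definition is visible here). Reordering the `||` operands later would silently remove that guarantee, so I would add a comment above the clause such as `/* off is already <= MAX_TO_COPY_IN_EXPAND here, so the subtraction cannot wrap; reject when off + datlen would reach EVBUFFER_CHAIN_MAX */`. The body of evbuffer_expand_singlechain starts and ends outside the hunk, so whether the resize path re-checks the sum cannot be confirmed from this view.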